If either of my sons expresses an interest in a cyber security career, I will be hoping that the current pressures on the CISO will have alleviated by the time they are old enough to take on the challenge. Despite the noticeable impact of Nominet’s alarming statistics in early 2019 about CISO stress levels – which continues to resonate closely with CISOs who themselves have spoken out – the situation has not improved.
In fact, CISO stress levels remain high and the negative consequences for their mental and physical well-being – not to mention their ability to carry out their job – are worsening. It is not the trend we hoped to find when we set out on our latest research, The CISO Stress Report: Life Inside the Perimeter, One Year On.
The one saving grace is that the findings provide more clarity on a situation that could become critical; as we increasingly digitalise and connect our world, cyber attacks gain greater potential to cripple businesses. In addition to speaking to 400 UK and US-based CISOs working for large companies, we also reached out to 400 C-suite executives for their views on the challenges faced by their head of cyber security. The aim was to see if beliefs and action tallied, hopefully identifying the pain points that are contributing to a working environment that could soon become intolerable, if it hasn’t already.
The top line is that almost nine in ten CISOs (88%) consider themselves to be under moderate or high levels of stress. While this represents a small decrease from 2019 (91%), the impact on their mental health has doubled year on year, now up to a worrying 48%. Also, one in four CISOs report that stress has affected their relationships with partners and children, a statistic of little surprise when we discover that many CISOs admit to avoiding taking vacations and are missing important family events like birthdays, weddings and even funerals due to the demands of their job.
It’s sobering reading, but stats like these do need context. Anyone working at a high level in a big company must carry a weighty responsibility, which can cause stress. That said, some of this could be mitigated if there was more harmony between the C-suite executives’ expectations and understanding of the role, and the reality for their CISO on the ground. And it matters, because 31% of CISOs feel their stress levels are affecting their ability to do their job.
What do the C-suite think? While they recognise the stressful position their CISO is in, 78% of them agree that their head of cyber security is working extra hours (on average, the CISO works 10 hours a week overtime) and 97% believe the security team could improve on delivering value for money for the budget they receive.
Expectations are high, and pressure is compounded by the lack of understanding of cyber threats and the landscape in which a CISO is working. Around a quarter (24%) of CISOs say that their board doesn’t accept that breaches are inevitable, despite this having become a widely acknowledged fact by experts in the field, and a fifth (20%) of CISOs expect to be fired even if they weren’t directly responsible for an incident. Indeed, the average tenure of a CISO is just 26 months, which, you could argue, could open a business to greater risk if longer term depth of knowledge around a businesses’ processes and systems to thwart vulnerabilities is not established.
How do we start to change this? As with so many tension points in business, better communication can have an immediate effect. A steady flow of information about security to the C-suite will help them better understand the situation, allowing CISOs to communicate their concerns and advice in the context of a broader analysis of the business’ security posture.
Ensuring cyber security is a regular feature at board meetings can help deepen understanding, which can in turn fuel better processes and practices. Hopefully that wider awareness and incremental knowledge will drive boards to fund more staff training and consider allowing more budget to support this key and core aspect of the business. This is something the CISOs are crying out for.
Eventually, these tweaks will start to positively impact the culture of the wider organisation, creating a working environment that is more supportive and collaborative, rather than combative and pressurised. As our own CISO, Cath Goulding, often tells me, cyber security is a team game that we all need to play together if an incident is to be avoided. Cath isn’t shirking from her responsibility, but is helping me to understand that cohesion and team work are vital to keep a company secure, because every single individual can pose a risk. It follows therefore that no single individual can bear the blame.
While our report uses the CISO as a springboard, this issue is about so much more than the wellbeing of one employee. Boards and C-suite executives – the people with the true power in a business – need to recognise that the measures that would improve the wellbeing of the CISO would concurrently raise the security posture of their whole organisation. A stressed CISO is not going to be doing their best work, and a fractured business is not going to be proactively cyber secure. This could result in the cyber attack – when it comes – being terminal. In digital times and against technological foes, we sometimes need to be better humans to keep ourselves and our businesses secure.